While in London, UK for a conference recently, I discovered that many different areas take ownership of BCM – some understand what BCM is and others don’t. In fact, in some instances its owned by a technology team and in others its owned by non-technology teams. Once again though, BCM ends up being on one side of the fence when it should be in the middle of both business and technology so that it gets the right focus and equal share of responsibility. In other words it shouldn’t just be on one side of the other.
Recently, some organizations have placed BCM in the Risk Management department, along with compliance, audit and Information Security. I think this is a great idea because BCM can bridge between the two sides of an operation – most commonly referred to as the “business” and “technology”. When this happens the BCM practitioners can ensure that the right teams on both sides of the fence talk to each other to obtain the best information possible to build a comprehensive BCM program. In fact, if BCM is in the middle of the two then its possible to remove the fence altogether because there is no need to have a barrier between the two entities.
When this organizational structure is established, both parties (business and technology) can then work closer together. The BCM practitioner should no longer take sides but be able to utilize their skills to bridge any gaps without either side believing they are being swayed in a particular direction or that one side is trying to bully the other into doing specific actions, they may not want to do or fully agree with. The practitioner can bring both sides together to help bring the proper BCM progam principles into play when building the program and help stimulate discussions between the two groups. This is the best set up possible.
Things don’t work well when one side owns BCM; either IT or business. When one or the other owns the program and the program responsibilities, there tends to be focus over the fence at what the other is doing – or not doing – and what both sides end up working in isolations. Or – as I’ve experienced before – the sides simply don’t listen to each other and work building two separate programs built upon all sorts of assumptions that have never been validated.
For example, when a disaster occurs, business teams automatically believe that technology knows whats important to its needs and has the right restoration and recovery processes in place to address its needs. However, what happens often is that technology will build its own process to address what it believes is important – not what the business thinks is important, and not even what is important to corporation. No one is working on the same page and everyone is walking in a different direction. When this occurs its no wonder plans don’t work out and things don’t go the way people expect during a disaster.
So who should own BCM? I believe it should be the bridge between technology and business teams to ensure that what plans, contingencies and strategies get developed, actually meet the needs to the organization as a whole – not meet the needs of the program owner (assuming its either business or technology). When the BCM department resides between both sides of the organization, it helps stimulate dialogue (remember communication is dialogue, not monologue) and builds a more resilient and prominent program.